How to eliminate last few events in a Splunk searc...

Ananthu · ‎08-02-2022

I have a scenario that i'm getting N number of results for last 60min splunk search like below (5:00Pm to 06:00PM).

2022-08-02 17:59:45.203 CCL220727468
2022-08-02 17:59:40.555 CCL220711461
2022-08-02 17:59:34.985 CCL220727468
2022-08-02 17:59:22.080 CCL220727468
2022-08-02 17:59:02.638 CCL220727468
2022-08-02 17:14:02.734 CCL220707460
2022-08-02 17:11:29.456 CCL220729470
2022-08-02 17:04:52.780 CCL220729470

In that i need to exclude the events close to the end time (for eg. I need to exclude the events with timestamp > 05:55PM. The events at the edge of search end time is not required).
This is for setup an alert which shows the number of events in last 60min

gcusello · ‎08-02-2022

Hi @Ananthu,

there are different solutions to your problem, identify the one for you:

You could change the time search period:

Your_search earliest=-15m@m latest=-5m@m

or you could take only e.g. ten values starting from the beginning:

your_search
| reverse
| head 10

Ciao.

Giuseppe

How to eliminate last few events in a Splunk search?

search job inspector

stats

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!